The first time I saw this picture, I believed that some information must be hidden in it. After Googling, I found a wonderful tool named Stegsolve, which can help with analyzing the hidden information in a picture.
If you are not familiar with steganography, I recommend reading the following Wiki page:
One famous approach to hiding information in a picture is to store each bit of the information in the least significant bit (LSB) of the 8-bit color value of each pixel (24-bit bitmap). So let’s use Stegsolve to extract this information; the extracted data looks like this:
At first glance, there seems to be no useful information. However, if you are very familiar with the Windows Portable Executable (PE) file format, you may find some similarities if you compare the extracted binary data with a PE file:
Now we can guess that the information hidden in this picture is actually an encrypted PE file, so let’s see if we can decrypt it. From the comparison above, we can learn at least two things:
1. The file seems to be encrypted by a byte-by-byte encryption algorithm.
2. Some special bytes like 0x00 and 0xFF seem to stay the same after encryption.
What’s your finding here? Yes, the ciphertext only reverses the bit order of each plaintext byte! Now we can write a Python script to decrypt the file:
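
    def bit_reverse(byte):
        """Return the 8-bit value with its bit order reversed."""
        out = 0
        for _ in range(8):
            # Shift the result left and append the lowest remaining input bit.
            out = (out << 1) | (byte & 0x01)
            byte >>= 1
        return out

    # Reverse the bits of every byte of the data extracted with Stegsolve.
    with open('gdssagh.bin', 'rb') as f:
        data = bytes(bit_reverse(b) for b in f.read())

    with open('gdssagh.out.exe', 'wb') as f:
        f.write(data)

    print('Result written to file gdssagh.out.exe.')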
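
The steps above can be reproduced end to end on constructed data. This is an added example, not code from the original post: it hides a bit-reversed PE-like header in the LSBs of fake color values, extracts it again, and accepts the bit-reversed result only if it has a valid MZ header whose `e_lfanew` field points at the PE signature. The MSB-first bit packing, the flat sequence of color bytes, and all function names are assumptions made for illustration.

```python
import struct

def bit_reverse(byte):
    """Reverse the bit order of one 8-bit value."""
    out = 0
    for _ in range(8):
        out = (out << 1) | (byte & 1)
        byte >>= 1
    return out

REV = bytes(bit_reverse(b) for b in range(256))  # 256-entry translation table

def lsb_embed(colors, payload):
    """Hide payload bits (MSB first, an assumption) in the LSB of each color byte."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(colors):
        raise ValueError("cover too small for payload")
    out = bytearray(colors)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def lsb_extract(colors, nbytes):
    """Collect the LSB of each color byte and pack eight of them per output byte."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for c in colors[i * 8:(i + 1) * 8]:
            value = (value << 1) | (c & 1)
        out.append(value)
    return bytes(out)

def looks_like_pe(data):
    """True if data starts with 'MZ' and e_lfanew (offset 0x3C) points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def recover_pe(extracted):
    """Return the bit-reversed data if that yields a PE header, else None."""
    candidate = extracted.translate(REV)
    return candidate if looks_like_pe(candidate) else None

# Constructed sample: a minimal PE-like header, not the challenge file.
SAMPLE_PE = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0"
HIDDEN = SAMPLE_PE.translate(REV)  # what the post calls the ciphertext
COVER = bytes((i * 37) % 256 for i in range(len(HIDDEN) * 8))  # fake color values
STEGO = lsb_embed(COVER, HIDDEN)
```

Calling `recover_pe(lsb_extract(STEGO, len(HIDDEN)))` returns the original sample header, while the extracted bytes themselves fail `looks_like_pe`, which mirrors why the raw Stegsolve output did not look useful at first.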